quasar | 6526c22d7ce386857149b6b5615c1c24cab7691496a1d3d849ead5d3e0b7b0c7

General

Target

Uni.exe
Size

409KB
MD5

78f15f52152da9355915d646d5f4f1e6
SHA1

514623af0d40968570977bb0993bc775b5dcb6cb
SHA256

6526c22d7ce386857149b6b5615c1c24cab7691496a1d3d849ead5d3e0b7b0c7
SHA512

13752ce045c2f7f0be187a6688b4032579fce7f17e8b77f66f192ee472aa58e60a1c5ea34dd85cb704e621afe4f228df880536159a7a907c41fbfeba3180a87d
SSDEEP

12288:ypbJjGukXuXQiwWlaJKwuKOASp2uLBUS:2VauOWERPIpB

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

C2

panel-slave.gl.at.ply.gg:57059

panel-slave.gl.at.ply.gg:27892

Mutex

$Sxr-rpL8EItHN3pqIQQVy2

Attributes

encryption_key
PXEHWy52mqnqS2Hd39SK
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2364-1-0x0000000000050000-0x00000000000BC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Client.exe1K57BfqeICMh.exe

pid process

1652 Client.exe
3780 1K57BfqeICMh.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3944 3780 WerFault.exe 1K57BfqeICMh.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exe

pid process

3200 schtasks.exe
3880 SCHTASKS.exe
2664 schtasks.exe

pid	process
1652	Client.exe
3780	1K57BfqeICMh.exe

flow	ioc
12	ip-api.com

pid	pid_target	process	target process
3944	3780	WerFault.exe	1K57BfqeICMh.exe

pid	process
3200	schtasks.exe
3880	SCHTASKS.exe
2664	schtasks.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Uni.exeClient.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	2364	Uni.exe
Token: SeDebugPrivilege	1652	Client.exe
Token: 33	4812	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4812	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Client.exe1K57BfqeICMh.exe

pid process

1652 Client.exe
3780 1K57BfqeICMh.exe

pid	process
1652	Client.exe
3780	1K57BfqeICMh.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Uni.exeClient.exe

description	pid	process	target process
PID 2364 wrote to memory of 3200	2364	Uni.exe	schtasks.exe
PID 2364 wrote to memory of 3200	2364	Uni.exe	schtasks.exe
PID 2364 wrote to memory of 3200	2364	Uni.exe	schtasks.exe
PID 2364 wrote to memory of 1652	2364	Uni.exe	Client.exe
PID 2364 wrote to memory of 1652	2364	Uni.exe	Client.exe
PID 2364 wrote to memory of 1652	2364	Uni.exe	Client.exe
PID 2364 wrote to memory of 3880	2364	Uni.exe	SCHTASKS.exe
PID 2364 wrote to memory of 3880	2364	Uni.exe	SCHTASKS.exe
PID 2364 wrote to memory of 3880	2364	Uni.exe	SCHTASKS.exe
PID 1652 wrote to memory of 2664	1652	Client.exe	schtasks.exe
PID 1652 wrote to memory of 2664	1652	Client.exe	schtasks.exe
PID 1652 wrote to memory of 2664	1652	Client.exe	schtasks.exe
PID 1652 wrote to memory of 3780	1652	Client.exe	1K57BfqeICMh.exe
PID 1652 wrote to memory of 3780	1652	Client.exe	1K57BfqeICMh.exe
PID 1652 wrote to memory of 3780	1652	Client.exe	1K57BfqeICMh.exe

C:\Users\Admin\AppData\Local\Temp\Uni.exe
"C:\Users\Admin\AppData\Local\Temp\Uni.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3200

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2664

C:\Users\Admin\AppData\Local\Temp\1K57BfqeICMh.exe
"C:\Users\Admin\AppData\Local\Temp\1K57BfqeICMh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 1712
4⤵
- Program crash
PID:3944

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1300,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
1⤵
PID:3904

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2c0 0x3c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3780 -ip 3780
1⤵
PID:1568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1K57BfqeICMh.exe
Filesize
276KB

MD5
120f3a38b2f4eb0f800ebe47ffa5e76b

SHA1
bed5148cc6a53e12a86ed635bb79135a568edd78

SHA256
3a195d762fd1e2f7f93eb4cbcef8fa9b600a6f94fc43b1c1c157b2c5e069154f

SHA512
60e66274203624afa422578d9807b21cbcc99de855dd665aa54753c957886677e358a2579ade098970c7ea3f9c3f2476c9e028fdabaac6ee991f09093fa52aff

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
Filesize
409KB

MD5
78f15f52152da9355915d646d5f4f1e6

SHA1
514623af0d40968570977bb0993bc775b5dcb6cb

SHA256
6526c22d7ce386857149b6b5615c1c24cab7691496a1d3d849ead5d3e0b7b0c7

SHA512
13752ce045c2f7f0be187a6688b4032579fce7f17e8b77f66f192ee472aa58e60a1c5ea34dd85cb704e621afe4f228df880536159a7a907c41fbfeba3180a87d

Download Submit
memory/1652-18-0x00000000066C0000-0x00000000066CA000-memory.dmp

Filesize
40KB

Download
memory/1652-13-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/1652-20-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/1652-19-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/1652-14-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/2364-6-0x00000000057E0000-0x00000000057F2000-memory.dmp

Filesize
72KB

Download
memory/2364-2-0x0000000004FF0000-0x0000000005594000-memory.dmp

Filesize
5.6MB

Download
memory/2364-7-0x0000000005D20000-0x0000000005D5C000-memory.dmp

Filesize
240KB

Download
memory/2364-3-0x0000000004B70000-0x0000000004C02000-memory.dmp

Filesize
584KB

Download
memory/2364-16-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/2364-0-0x00000000750AE000-0x00000000750AF000-memory.dmp

Filesize
4KB

Download
memory/2364-5-0x0000000004AC0000-0x0000000004B26000-memory.dmp

Filesize
408KB

Download
memory/2364-4-0x00000000750A0000-0x0000000075850000-memory.dmp

Filesize
7.7MB

Download
memory/2364-1-0x0000000000050000-0x00000000000BC000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads